Privacy and security assessment of biometric template protection

Biometrics enables convenient authentication based on a person’s physical or behavioral characteristics. In comparison with knowledgeor token-based methods, it links an identity directly to its owner. Furthermore, it can not be forgotten or handed over easily. As biometric techniques have become more and more efficient and accurate, they are widely used in numerous areas. Among the most common application areas are physical and logical access controls, border control, authentication in banking applications and biometric identification in forensics. In this growing field of biometric applications, concerns about privacy and security cannot be neglected. The advantages of biometrics can revert to the opposite easily. The potential misuse of biometric information is not limited to the endangerment of user privacy, since biometric data potentially contain sensitive information like gender, race, state of health, etc. Different applications can be linked through unique biometric data. Additionally, identity theft is a severe threat to identity management, if revocation and reissuing of biometric references are practically impossible. Therefore, template protection techniques are developed to overcome these drawbacks and limitations of biometrics. Their advantage is the creation of multiple secure references from biometric data. These secure references are supposed to be unlinkable and non-invertible in order to achieve the desired level of security and to fulfill privacy requirements. The existing algorithms can be categorized into transformation-based approaches and biometric cryptosystems. The transformation-based approaches deploy different transformation or randomization functions, while the biometric cryptosystems construct secrets from biometric data. The integration in biometric systems is commonly accepted in research and their feasibility according to the recognition performance is proved. Despite of the success of biometric template protection techniques, their security and privacy properties are investigated only limitedly. This predominant deficiency is addressed in this thesis and a systematic evaluation framework for biometric template protection techniques is proposed and demonstrated: Firstly, three main protection goals are identified based on the review of the requirements on template protection techniques. The identified goals can be summarized as security, privacy protection ability and unlinkability. Furthermore, the definitions of privacy and security are given, which allow to quantify the computational complexity estimating a pre-image of a secure template and to measure the hardness of retrieving biometric data respectively. Secondly, three threat models are identified as important prerequisites for the assessment. Threat models define the information about biometric data, system parameters and functions that can be accessed during the evaluation or an attack. The first threat model, so called naive model, assumes that an adversary has very limited information about a system. In the second threat model, the advanced model, we apply Kerckhoffs’ principle and assume that essential details of algorithms as well as properties of biometric data are known. The last threat model assumes that an adversary owns large amount of biometric data and this allows him to exploit inaccuracy of biometric systems. It is called the collision threat model. Finally, a systematic framework for privacy and security assessment is proposed. Before an evaluation process, protection goals and threat models need to be clarified. Based on these, the metrics measuring different protection goals as well as an evaluation process determining the metrics will be developed. Both theoretical evaluation with metrics such as entropy, mutual information and practical evaluation based on individual attacks can be used.